GDPR and Cybersecurity: A Practical Guide - Strategies, Technology, and Operationalization of Compliance

Introduction

The contemporary digital ecosystem functions under conditions of unprecedented convergence of legal requirements and technological challenges. The General Data Protection Regulation (GDPR), which entered into force in May 2018, permanently changed how organizations must view information security.

Data protection has ceased to be merely a compliance issue, but has become a fundamental engineering and operational requirement. Article 32 of the GDPR constitutes the legal foundation for cybersecurity in the EU, imposing an obligation to implement technical and organizational measures appropriate to the risk.

The aim of this document is to provide an operational roadmap for DPOs, IT managers, and CISOs, allowing for the building of real organizational resilience.

Chapter I: Legal and Technical Foundations of Processing Security (Article 32 GDPR)

1.1. Evolution from Rigid Requirements to a Risk-Based Approach

GDPR introduced a revolutionary change through the risk-based approach. Article 32 does not dictate specific technologies but requires measures that are "appropriate" to the identified risk to the rights and freedoms of natural persons.

The controller must demonstrate that they have exercised due diligence, taking into account the "state of the art."
This concept is dynamic – a solution considered secure in 2018 (e.g., SHA-1) may currently be insufficient.
Risk analysis must be a continuous process.

1.2. CIA Triad vs. GDPR Requirements: An Expanded Perspective

GDPR expands the classic CIA triad (Confidentiality, Integrity, Availability) with the element of Resilience.

| Security Attribute | Legal-Technical Definition in GDPR | Examples of Threats | Technical Mitigation Measures | | : | : | : | : | | Confidentiality | Guarantee that data will not be disclosed to unauthorized entities. | SQL database leak, unauthorized access to records, theft of an unencrypted laptop. | Encryption (at rest/in transit), access control (RBAC), DLP. | | Integrity | Assurance that data is accurate, complete, and has not been modified. | Malicious data modification, write errors (bit rot), ransomware encrypting files. | Checksums (hashing), digital signatures, version control systems, change logging. | | Availability | Assurance that data is available on demand within the required time. | DDoS attack, data center failure, loss of decryption key. | Redundancy (HA), load balancing, Disaster Recovery, backup testing. | | Resilience | Ability of systems to survive an incident and quickly return to a normal state. | Complex APT attack, pandemic, natural disaster. | Penetration testing, BCP, fault-tolerant architecture, supplier diversification. |

1.3. Pseudonymization as a Key Security Measure

Pseudonymization (Art. 32(1)(a)) makes it impossible to attribute data to a person without additional information. Technical forms:

Tokenization: Replacing a value with a random token.
Encryption with a key: Data is unreadable without the key.
Salted Hashing: Hash function with a random value.

Note: Pseudonymization is not anonymization. Pseudonymized data is still subject to GDPR.

1.4. Accountability Principle

The controller must be able to demonstrate compliance with regulations (Art. 5(2) GDPR). This requires maintaining documentation (policies, audit reports, incident registers) proving that measures are the result of risk analysis.

Chapter II: Risk Analysis Methodology and Data Protection Impact Assessment (DPIA)

2.1. Risk Management Process Architecture

The process based on ISO/IEC 27005 standards or ENISA guidelines includes:

Establishing Context: Understanding the environment and data.
Asset Identification: Hardware, software, people, paper, locations .
Threat Identification: E.g., hacking attack, fire.
Vulnerability Identification: E.g., outdated software, weak passwords.
Risk Estimation: The consequence is harm to a natural person, not just company loss.

2.2. Data Protection Impact Assessment (DPIA)

DPIA is required (Art. 35 GDPR) when processing is likely to result in a "high risk."

Mandatory Criteria (min. 2 required):

Scoring/Profiling.
Automated decision-making.
Systematic monitoring (e.g., CCTV).
Sensitive data on a large scale.
Processing on a large scale.
Matching/Combining datasets.
Data of vulnerable subjects (e.g., children, employees).
New technologies (AI, IoT).
Data transfer outside the EEA.

DPIA Methodology:

Description of processing operations.
Assessment of necessity and proportionality.
Assessment of risks to rights and freedoms.
Remedial measures (Mitigation).
DPO Opinion.
Consultation with the DPA (if residual risk remains high).

2.3. Integration of DPIA with Project Lifecycle

DPIA should be initiated at the concept stage (Privacy by Design), allowing for cost-effective problem resolution.

Chapter III: Technical Data Protection Measures - Cryptography and Standards

3.1. The Role of Cryptography

Encryption is one of the most effective ways to protect data. A leak of encrypted data (with a secure key) minimizes risk.

3.2. Recommended Standards (BSI / ENISA)

Symmetric Encryption:
- Algorithm: AES.
- Key: Min. 128 bits (recommended 256 bits).
- Mode: Avoid ECB; use GCM or CBC.
Asymmetric Encryption:
- RSA: Min. 2048 bits (migrate to 3072/4096). 1024 bits are broken.
- ECC: NIST P-256, P-384, Curve25519 curves (min. 256 bits).
Hash Functions and Passwords:
- Hashing: SHA-2 and SHA-3 family.
- Passwords: Argon2id, bcrypt, PBKDF2 (with salt). Avoid MD5, SHA-1.

3.3. Encryption in Transit and at Rest

Data in Transit: TLS 1.2 or 1.3. Disable SSL and old ciphers. Use HSTS.
Data at Rest:
- Mobile devices: Full Disk Encryption (FDE) - BitLocker, FileVault.
- Databases: TDE or column-level encryption.

3.4. Post-Quantum Challenge (PQC)

The "Store Now, Decrypt Later" threat forces planning for migration to quantum-resistant algorithms (e.g., ML-KEM, ML-DSA), especially for data with long retention periods.

Chapter IV: Identity and Access Management (IAM)

4.1. Multi-Factor Authentication (MFA)

Login and password are not enough. MFA is the "state of the art" standard. It relies on: Knowledge (password), Possession (token/phone), and Inherence (biometrics) .

4.2. Password Management and Access Policies

Passwords: Long phrases (passphrases) instead of complexity. No forced expiration every 30 days (unless there is an incident) .
Separation of Duties: Least Privilege principle. Administrator accounts should not be used for daily work.

Chapter V: Network Infrastructure and Operational Resilience

5.1. Network Segmentation

Protection against ransomware requires dividing flat networks into segments (VLANs) for different departments, guests, and IoT, and using NGFW firewalls .

5.2. Backups and Ransomware

Strategy: 3-2-1 (3 copies, 2 media types, 1 offsite).
Immutability: Offline or immutable copies (WORM).
Testing: Regular restoration attempts (GDPR requirement).

5.3. Logging and Monitoring (SIEM)

Logs are essential for detecting an incident and reporting it within 72h. Logins, data access, and administrative operations must be recorded, preferably in a SIEM system .

Chapter VI: Privacy Engineering - Privacy by Design and Privacy by Default

6.1. Design Patterns (Hoepman Strategies)

Data-Oriented: Minimise, Separate, Abstract, Hide .
Process-Oriented: Inform, Control, Enforce, Demonstrate .

6.2. Privacy by Default in Practice

Protection must be the default setting. The user should not have to change settings to protect privacy (e.g., empty checkboxes, non-public profiles) .

Chapter VII: Incident Management and the 72-Hour Procedure

7.1. Incident Management Phases

Preparation: IRP plan, CSIRT team.
Detection: Detection and establishing the moment of "becoming aware" of the breach.
Triage: Is it a data breach? Risk assessment.
Containment: Isolating systems.
Eradication and Recovery: Clean backups.
Notification:
- To the DPA (if risk > low) within 72h.
- To individuals (if risk is high).
Post-Incident Activity: Lessons learned and security improvements.

7.2. Pitfalls

Documentation in the Breach Register is key – even the decision not to report an incident must be justified in writing.

Chapter VIII: Specific Processing Contexts

8.1. Remote Work (Home Office)

Mandatory VPN.
Prohibition of using private hardware (unless in a containerization model).
Physical security of screens and documents.

8.2. Cloud and Supply Chain

Shared Responsibility Model.
Verification of provider certificates (ISO 27001).
Data location (EEA vs. USA).

Chapter IX: Sector Compliance

Financial Sector: KNF Recommendation D (test environment management, anonymization of production data) .
Healthcare Sector: Long retention (20 years), requirement for 24/7 continuity (threat to life from ransomware) .

Summary and Recommendations

Integration: GDPR security and IT security are the same thing.
Basics: MFA, encryption, patching, and backups account for 90% of success.
Awareness: Regular training and phishing tests.
Readiness: Assume an incident will happen and have a plan.

GDPR and Cybersecurity: A Practical Guide - Strategies, Technology, and Operationalization of Compliance

Introduction

Chapter I: Legal and Technical Foundations of Processing Security (Article 32 GDPR)

1.1. Evolution from Rigid Requirements to a Risk-Based Approach

1.2. CIA Triad vs. GDPR Requirements: An Expanded Perspective